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1. INTRODUCTION 


1.1 Preamble 


Smartphones and tablet devices have penetrated all parts of European society. Mobile broadband 
subscriptions in Europe have reached unprecedented levels in recent years, making the near ubiquitous 
ability to access internet-enabled content, applications and services a reality for the vast majority of 
European citizens. Individuals can now enjoy the latest films, TV shows or music, play games or simply 
communicate with their friends whenever they choose, from almost anywhere in the world. 


Equally, this development has opened new doors for current and emerging players in the advertising 
industry to interact with consumers in exciting new ways and provide them with increasingly customised 
and on the spot messages. Mobile devices have turned into truly essential marketing tools; this in turn has 
enabled the creation of a rich and vibrant mobile advertising ecosystem, which is progressively global in 
nature. 


Data sits at the heart of this system, fuelling the continuous innovation that has been made available by the 
constant evolution of consumer technology. Harnessing the power of data allows the advertising industry 
to continue to make digital content, services and applications available to consumers at little or no cost on 
an enormous scale and offer them a more relevant and reciprocal brand experience. 


The European advertising industry recognises that with this value proposition comes responsibility. 
Handling data for the purpose of serving more relevant advertisements based on the consumer’s interests 
necessitates respect from users, and industry knows that transparency and user control are the tools with 
which this can be achieved. The consumer trend to move away from the desktop environment to the mobile 
space has amplified this need in more than ways than one and raised some distinctive issues that are 
unique to mobile devices. These include: 


e Mobile devices are often the most personal devices users own and are normally “always on” 


e A mobile device is portable by default with access to GPS and can typically connect to the internet 
via an operator's data network and a wireless local area network (WLAN) 


e The screens on mobile devices are characteristically smaller than the ones usually used with 
desktop computers and are normally controlled through simple or multi-touch gestures 


e Both these features — the screen size and the touchscreen functionality — also imply different 
expectations from a usability point of view 


e The technology to serve advertising on mobile devices in some instances differs from the desktop 
world 


Despite this development, industry’s early commitments to give consumers greater control 


transparency over behavioural advertising has preceded! this changing landscape. 


In April 2011 the industry adopted the European Industry Self-Regulatory Framework on Data Driven 
Advertising (hereafter “the Framework”). The Framework is based upon seven key principles: 
notice, user choice, data security, sensitive segmentation, education, compliance and 
enforcement, and review. The _ European Advertisin Standards Alliance (EASA) _ Best 
Practice Recommendation on OBA builds on the Framework, allowing self-regulatory organisations 
(SROs) in Europe to incorporate the key principles into their existing national advertising codes in a 
consistent manner reflecting the pan-European nature of the initiative. Combined, these documents 
build the foundation of the EU self-regulatory programme on behavioural advertising, which has the 
principles of transparency and control at its core. The European Interactive Digital Advertising 
Alliance (EDAA) administers this programme. 


The Framework was drafted with the desktop environment in mind. In light of the technological 
evolution described above, a set of recommendations was drafted on how the principles should be 
applied to the mobile space to ensure the rights of users are protected across the devices they use. 
It recognises the enhanced need for flexibility presented by the varying constraints of mobile 
devices themselves, and offers principles-based recommendations without seeking to be overly 
prescriptive on design or User-Interface (UI) decisions that companies may implement over time. 


This effort also recognises that providing recommendations on how to adapt the EU Framework to the 
mobile environment presents the next logical step in the implementation of European digital advertising 
self-regulation. 


1.2 Scope 


The recommendations set out in this document provide an addendum to the Framework (hereafter “the 
Addendum”) and should be read in conjunction with it. The Addendum seeks to show businesses how to 
apply the Framework’s principles — notably notice and choice — in the mobile environment. 


The Addendum’s obligations are primarily aimed at Third Party intermediary businesses operating in the 
mobile advertising ecosystem, such as ad networks, ad tech companies, data aggregators, Demand 
Side Platforms (DSPs) and Supply Side Platforms (SSPs), as well as App Providers. We recognise that 
due to the nature of the mobile landscape, the Addendum will have relevance for a number of 
mobile stakeholders that have previously been outside the scope of the Framework, in 
particular the app ecosystem. 


Different players in the digital advertising ecosystem may have different roles and responsibilities under the 
Framework. Businesses wishing to join the Framework on the basis of the recommendations set out in this 
Addendum are expected to follow already-established procedures as determined by the EDAA and 
available at htto:/Avww.edaa.eu/certification-process/join-the-programme/. Depending on the business 
model employed, these can include: 

§ Obtaining a licence for using the OBA Icon 


1 See European principles 
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and 


§ Participating on the User Choice Platform (www.youronlinechoices.eu) 
§ Self-certification 


§ Third-party verification of the self- certification process by an independent Certification Provider, at 
the end of which successful companies are awarded the EDAA Trust Seal. 


Licensing agreements already in place under the Framework remain valid and licensees do not have to 
incur additional costs for using their licence in the mobile environment. Also, businesses that have been 
awarded the Trust Seal do not need to submit to another auditing process. However, mobile operations are 
subject to the audit once this is up for renewal. 


2. THE PRINCIPLES IN THE MOBILE ENVIRONMENT 


The Framework operates on the basis of a definition of Online Behavioural Advertising (OBA), which we 
will modify as follows for the mobile environment: 


“Online Behavioural Advertising means the collection of data from a particular computer or device regarding 
web viewing behaviours or mobile app use over time and across multiple web domains and/or mobile apps 
not under Common Control for the purpose of using such data to predict web user preferences or interests 
to deliver online advertising to that particular computer, mobile app or device based on the preferences or 
interests inferred from such web viewing or mobile app use behaviours. Online Behavioural Advertising 
does not include the activities of Web Site Operators, App Providers, Ad Delivery or Ad Reporting, or 
contextual advertising (e.g. advertising based on the content of the web page being visited, a consumer’s 
current visit to a web page, use of a mobile app or a search query).” 


There are a number of differing laws which may apply to data practices covered in the Framework and this 
Addendum, particularly in cases where the data collected or processed relates to an identified or identifiable 
natural personal and thereby comprises personal data or relates to a mobile device that is personal to the 
user. Given that the applicable law may vary from country to country, compliance with the Framework and 
this Addendum does not guarantee compliance with any applicable law and is not a substitute for such 
compliance. Responsibility for the lawfulness of processing data for the purpose of the Framework and this 
Addendum therefore lies with the appropriate entity. Nevertheless, in all instances these recommendations 
should be construed so as to be compatible with applicable law. This is particularly the case for instances 
where national laws require the user’s consent for data collection and use practices covered in this 
Addendum (see below for definitions). 


It becomes clear from the above definition that behavioural advertising delivered via mobile web browsers 
shall be fully covered by the Framework, as browser data is agnostic of the device used. Third Parties are 
therefore advised to follow the Framework to the same extent as in the desktop environment (where 
practicable). We recognise, however, that behavioural advertising on mobile devices involves the use of 
technologies other than cookies for the purpose of engaging in online or mobile advertising based on user 
preferences or interests. In the following, and we therefore recommend how the Framework should apply 
in instances of different data practices in the mobile environment. 


2.1 Definitions 


The definitions included in the Framework remain fully valid. Nevertheless, differences between the desktop 
and mobile environments make it necessary to introduce new definitions as well as to clarify existing ones 
where they relate to Web Site Operator (App Provider) and the OBA User Choice Site (User Choice 
Mechanism). These are set out below. 


App Provider 


An App Provider is the owner, controller or operator of the mobile application. 


Cross-App Data 


Cross-App Daia is data collected from a particular [computer or] device regarding web viewing behaviours 
or mobile app use over time and across mobile apps [not under Common Control] for the purpose of using 
such data to deliver advertising based on user preferences or interests to that particular device. 


Third Parties can collect data across mobile apps that are not under their Common Control, on the same 
mobile device. We confirm that this practice shall fall under the Framework’s remit where such data is 
used for the purpose of engaging in online or mobile advertising based on user preferences or 
interests. 


Cross-App Data includes unique values assigned or attributed to a user, device, sim card or other enabling 
component, mobile app or a unique combination of characteristics associated with a device where 
combined with Cross-App Data. The definition also covers the case where previously collected data is 
associated or combined to create Cross-App Data. 


Location Data 


Location Data is data obtained from a device about the physical location of an individual device that is 
sufficiently precise to locate a specific individual or device. 


Mobile devices are unique in their ability to allow for their localisation. This is significant insofar as this 
permits companies to communicate with both a group of devices as well as with an individual device only. 
We believe that notice of, and choice over, this practice shall also fall under the Framework where this data 
is used for engaging in [online or] mobile advertising based on user preferences or interests. 


Location Data includes unique values assigned or attributed to a device or a unique combination of 
characteristics associated with a device where combined with Location Data. For example, Location Data 
may include data obtained from cell tower or Wi-Fi triangulation techniques, latitude-longitude coordinates 
obtained through GPS technology, or beacons using Bluetooth technology. This is relevant for both 
behavioural advertising based on marketing communications delivered to a group of devices as well as an 
individual device only. 


Location data does not include registration details, including post codes, city name or billing address, or 
general geographic information derived from an IP address. 


Personal Device Data 


Personal Device Data is calendar, address book, phone/text log, or photo/video data or any other data 
that is not created by or through the App Provider or Third Party and that is stored on, or accessed, through 
a particular device or mobile app. 


Companies may seek to access data created by a consumer that is stored on or accessed through a 
particular device or mobile app, such as the calendar, address book, phone/text log, or photo/video data 
for the purpose of engaging in online or mobile advertising based on user preferences or interests. We 
believe that notice of and choice over this practice shall also fall under the Framework. 


User Choice Mechanism 


User Choice Mechanism means a mechanism for users to exercise their choice with respect to the 
collection and use of data covered by the Framework and this Addendum by one or more Third Parties. 


This refers to the mobile-optimised OBA User Choice Site (www.youronlinechoices.eu), as well as any 
industry-wide future companion choice mechanism or setting for the data categories covered in this 
Addendum. It may also include instructions for device-specific controls. 


2.2 Principle | - NOTICE 


2.2.1 Third Party Notice to Consumers 


Third Parties should give clear and comprehensible notice on their web sites or mobile-optimised site(s) 
when accessed by the user via a mobile device. This notice shall describe their Cross-App, Location Data 
and Personal Device data collection and use practices (or a combination thereof) for the purpose of 
delivering online or mobile advertising based on user preferences or interests. Such notice should include 
clear descriptions of the following: 


a. Their identity and contact details; 
b. The fact that this data is collected and used for the purpose of providing online advertising based 
on user preferences or interests including an indication of whether any data is “personal data” or 


“sensitive personal data” as defined by Directive 95/46/EC or any successive legislation; 


c. The purpose or purposes for which this data is processed and the recipients or categories of 
recipient not under Common Control and to whom such data might be disclosed; 


d. An easy to use mechanism for exercising choice with regard to the collection and use of the data 
for the purpose of delivering [online or] mobile advertising based on user preferences or interests and 
to the transfer of such data to Third Parties for such purposes; 


e. The fact that the Company adheres to the Principles of the Framework; and 


f. A link to a User Choice Mechanism. 


2.2.2 Third Party Enhanced Notice to Consumers 


In addition, Third Parties should provide enhanced notice of the collection of Cross-App, Location Data and 
Personal Device data (or a combination thereof) for purposes of online or mobile advertising based on user 
preferences or interests as follows: 


(a) in or around the advertisement (via the Icon)?; and 
(b) if there is an arrangement with the App Provider for such notice: 


I. before the Mobile App is installed, as part of the Mobile App being downloaded or opened 
for the first time, or at the time the relevant data is collected; and 


Il. in the Mobile App settings or relevant Privacy Policy. 


Third Parties may (at the discretion of the Third Party) provide additional information to users concerning 
the Third Party’s collection, receipt and use of other types of data (i.e. not Cross-App Data, Location Data 
or Personal Device Data) which are used for purposes of online or mobile advertising based on user 
preferences or interests in combination with or in addition to Cross-App Data, Location Data or Personal 
Device Data. 


2.2.3 App Provider Notice 


When an App Provider permits a Third Party to collect and use Cross-App, Location Data and Personal 
Device data (or a combination thereof) for the purposes of online or mobile advertising based on user 
preferences or interests, the App Provider should provide adequate disclosure of this arrangement. 


The App Provider does not need to provide such notice in instances where the Third Party provides 
enhanced notice as set out in 2.2.2. 


2.3 Principle Il - CHOICE 

Following on from the Framework, each Third Party should make available a mechanism for mobile users 
to exercise their choice with respect to the collection and use of data covered in this Addendum for purposes 
of online or mobile advertising based on user preferences or interests and the transfer of such data to Third 


2 This provision shall not preclude the use of other industry-wide means of providing enhanced notice in 
the future. 
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Parties for such purposes. Such choice should be accessible via the notice described above and via a User 
Choice Mechanism. Please refer to the Framework for the full set of requirements under Principle II. 


2.4 Principles Ill - VII 

We confirm that Principles III — VII fully extend to the types of data covered in this Addendum. However, 
where the Addendum relates to Principle VI (Compliance and Enforcement Programmes), we recognise 
that a fully operational User Choice Platform for all recommendations included in the Addendum is not 
yet available. Failure to comply with these recommendations shall therefore not trigger any enforcement 
programmes during the implementation phase. Please refer to the Framework for the full set of 
requirements under Principles III — VII. 


